TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Better Emergency Preparedness Planning Could Improve Business Continuity Efforts

February 13, 2009

Reference Number: 2009-20-038

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site      | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

February 13, 2009

MEMORANDUM FOR COMMISSIONER

FROM:    Michael R. Phillips
         Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Better Emergency Preparedness Planning Could Improve Business Continuity Efforts (Audit # 200820029)

This report presents the results of our review to determine whether the Internal Revenue Service (IRS) business continuity program ensures that employees can be protected and critical business processes and computer systems can be efficiently recovered during and after a disaster or emergency incident. We recently completed three separate reviews related to the business continuity program. The Government Accountability Office has also performed a recent review of IRS emergency planning.[1] This report presents our overall assessment of the IRS business continuity program based on those reviews.
This audit was included in the Treasury Inspector General for Tax Administration Fiscal Year 2008 Annual Audit Plan and was part of an overall strategy to evaluate the adequacy and viability of the suite of emergency plans[2] the IRS has in place.

Impact on the Taxpayer
The IRS’ ability to protect its employees and provide service to taxpayers during and after a major disruption is dependent on the effective preparation of four integrated plans called the Business Continuity “Suite of Plans.” However, many of the plans we reviewed were not up to date, have not been adequately tested, and did not contain sufficient detail to be effective. The deficiencies in the plans could affect the IRS’ ability to process 235 million tax returns, issue $295 billion in refunds, and collect $2.7 trillion in revenue each year.

[1] See reports listed in Appendix IV.
[2] The occupant emergency plan, the incident management plan, the business resumption plan, and the disaster recovery plan.

Synopsis
Redundant operations and experience with major disasters have strengthened the IRS business continuity program. Each critical process is carried out at multiple locations, allowing the IRS to take advantage of its experienced workforce and similarly situated facilities to recover from a disaster. Although many employees responsible for executing the business continuity plans are cognizant of the strategies that they would follow to recover operations, these key employees might not be available after a disaster. Therefore, the IRS needs to be proactive and conduct thorough, upfront planning to protect its employees and to efficiently recover critical business processes and systems.

Many of the business continuity plans lacked key details.
Our review of 39 incident management plans and 65 business resumption plans determined that the majority of the plans were incomplete and did not provide assurance that the IRS could efficiently respond to the full range of potential disasters or emergency incidents. Key details missing in the plans included 1) the location of the Emergency Operations Center where the incident management team would meet to begin addressing the emergency, and 2) procedures for recovering critical processes. We also found instances of incomplete and inaccurate disaster recovery plans for several major tax processing systems.

Business continuity plans were not routinely tested or were informally tested using tabletop exercises during which participants met and discussed the procedures they would follow. Lessons learned from testing disaster recovery plans were not always documented. When the lessons learned were documented, subsequent testing did not ensure that the weaknesses were retested to determine whether the plan weaknesses had been corrected. Comprehensive testing is needed to identify the gaps and weaknesses in the plans.

The absence of detailed planning information and inadequate testing are due to a lack of cross-functional coordination, leadership, and effective monitoring and oversight. Business continuity planning and testing require the involvement of many employees in virtually every IRS business unit, which increases the risk of insufficient planning and testing. Accountability for carrying out those plans is difficult to enforce across the organization, and the interdependence of the plans requires coordination to ensure that the plans are synchronized.

Recommendations
In our prior reports, we made recommendations to improve the development and testing of the specific business continuity plans.
When those plans are viewed together, however, it is clear that cross-functional coordination, leadership, and effective monitoring and oversight are needed to ensure the effectiveness of the IRS business continuity efforts.

We recommended that the IRS Commissioner appoint an executive with cross-organizational authority to oversee the IRS business continuity program. The executive should serve as the chairperson of the Emergency Management and Preparedness Executive Steering Committee. This Committee is responsible for overseeing the business continuity plans. We also recommended that the IRS Commissioner require the newly appointed executive to monitor and ensure that comprehensive testing is conducted and documented for all four business continuity plans, ensure that weaknesses and gaps identified during testing are corrected and retested, and consider testing plans concurrently as opposed to testing the plans separately.

Response
IRS management agreed with the recommendations. The Emergency Management and Preparedness Executive Steering Committee is now chaired by the Chief, Agency-Wide Shared Services, who will direct and execute the cross-functional IRS-wide emergency management program. An executive has been appointed to lead the Physical Security and Emergency Preparedness Continuity Operations staff and focus exclusively on the oversight and enforcement of the continuity planning program. Lastly, the IRS will develop a Test and Exercise Program that requires integrated exercises of all four business continuity plans. The Program will require that exercises be scheduled and conducted with after-action reports and improvement plans completed and documented.
Management’s complete response to the draft report is included as Appendix V.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Acting Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-8510.

Table of Contents

Background

Results of Review
    Redundant Operations and Experience With Major Disasters Have Strengthened the Business Continuity Program
    Cross-functional Coordination Is Needed to Improve Business Continuity Planning and Testing
        Recommendations 1 and 2

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Recent Audit Reports on the Business Continuity Program
    Appendix V – Management’s Response to the Draft Report

Abbreviations

GAO      Government Accountability Office
IRS      Internal Revenue Service
PSEP     Physical Security and Emergency Preparedness

Background

Homeland Security Presidential Directive-20[1] requires that Federal Government agencies develop business continuity plans to enable the recovery of critical functions after a disaster or emergency. To comply with the Directive, the Internal Revenue Service (IRS) must develop and continually update its business continuity plans to protect employees and recover critical business processes, data, and information technology systems. Achieving continuity of operations in an organization as large as the IRS is challenging due to the wide range of incidents that could occur, such as acts of nature, power outages, and terrorist attacks. The IRS must protect more than 100,000 employees and contractors in more than 660 facilities located throughout the nation.

The difficult planning that must be accomplished to continue IRS processes after a disaster is warranted by the national and economic risks. A prolonged disruption could affect critical tax administration processes such as collecting taxes and processing tax returns and refunds. In Fiscal Year 2007, the IRS processed more than 235 million tax returns, collected almost $2.7 trillion in revenue, and issued 117 million refunds totaling $295 billion.
Business continuity planning enables the IRS to have the ability to continue these critical business processes by providing a collection of strategies and plans that ensure that the IRS can efficiently recover critical processes and systems during and/or after a disaster.

In an emergency, the IRS would execute one or more of the following business continuity plans depending on the nature and severity of the incident:
    1. Occupant emergency plan – This plan protects IRS employees and visitors in IRS facilities. It provides instructions needed to safely evacuate people from a facility or shelter them in place. This plan is the most significant because it protects lives. In addition, some business continuity experts have concluded that if they can protect their employees, they can eventually recover their business.
    2. Incident management plan – This plan addresses the overall command structure that would be implemented in the event of an emergency. The focus of the command team is assessment, evaluation, coordination, and strategy development as events occur.
    3. Business resumption plan – This plan is used to recover and restore disrupted business processes in affected facilities. It identifies business processes, resumption strategies, people, vital records, information technology systems, and other supporting assets.
    4. Disaster recovery plan – This plan is used to recover and restore disrupted information technology systems and data. It identifies systems, procedures for recovering them, and the process for restoring operations at an alternate site.

[1] National Continuity Policy, dated May 4, 2007 (also known as National Security Presidential Directive-51). This Directive establishes a comprehensive national policy on the continuity of Federal Government structures and operations.

These four plans, called the Business Continuity “Suite of Plans,” are used to prepare for, respond to, and recover from a disaster or emergency incident. The relationship among the four plans is represented in Figure 1.

Figure 1: Relationship Among IRS Business Continuity Plans

Source: The IRS Agency-Wide Shared Services organization. IT = Information Technology. BCP = Business Continuity Program. OEP = Occupant Emergency Plan. IMP = Incident Management Plan. BRP = Business Resumption Plan. DRP = Disaster Recovery Plan.

We recently completed reviews of each of these plans in three separate audits. The Government Accountability Office (GAO) has also performed a recent review of IRS emergency planning. The recommendations and IRS management responses in the reports for these four audits were focused on the development and testing of the specific business continuity plans.[2]

This report is a compilation of our review of the four prior audit reports. We performed this review at the Treasury Inspector General for Tax Administration office in Dallas, Texas, during the period May through October 2008. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I.
Major contributors to the report are listed in Appendix II.

[2] See report titles and summary information in Appendix IV.

Results of Review

Redundant Operations and Experience With Major Disasters Have Strengthened the Business Continuity Program
The IRS’ ability to recover its critical processes is strengthened by its extensive redundant operations located in various functions throughout the nation. Each critical process is carried out at multiple locations, allowing the IRS to take advantage of its experienced workforce and similarly situated facilities where work could be redirected. The IRS should also be able to benefit from its experience in recovering from previous disasters and emergency incidents. For example:
    • On June 25, 2006, the IRS National Headquarters building flooded during a period of record rainfall and sustained extensive damage to its infrastructure. IRS officials reported activating several of the agency’s emergency operations plans. The GAO review of IRS recovery efforts showed that while the IRS plans helped guide its response to the flood, in more severe emergency events, conditions could be less favorable to recovery.[3]
    • Hurricane Katrina made landfall on August 29, 2005. It caused unprecedented damage to New Orleans, Louisiana, as well as the coastal areas of Mississippi and Alabama. Hurricane Rita followed less than 1 month later and further damaged New Orleans and the Gulf Coast area of Texas.
      The IRS had 25 offices affected by the Hurricanes, many of which were closed for short durations due to sustained power outages. Five offices received significant damage, which forced closure for longer periods of time. By taking aggressive actions after the storms, the IRS was able to relocate its employees and restore its operations.
    • In 2001 and 2002, a number of government offices received mail or packages that seemed to contain the anthrax virus. While no IRS facility received mail that actually contained anthrax, mail-handling procedures were upgraded to address this possibility. For example, mail rooms in all facilities were isolated, self-contained ventilation systems were installed at all campus[4] mail rooms so that the rooms could be shut off from the remainder of the facilities, and hazardous material training and protective equipment were provided to pertinent employees.

[3] See report listed in Appendix IV.
[4] Campuses are the data processing arm of the IRS. The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.

Cross-functional Coordination Is Needed to Improve Business Continuity Planning and Testing

Planning efforts have not been sufficient to ensure efficient recovery from an emergency
While the IRS’ redundant operations and experiences with disasters should enable it to recover its critical processes, complete and adequate business continuity plans are needed to ensure that the recovery is as quick and efficient as possible.
Based on our prior audits, we concluded that the IRS occupant emergency plans have been more thoroughly developed than the other business continuity plans. We reviewed occupant emergency plans for 15 facilities in which the IRS was the primary tenant and, therefore, was responsible for preparing the plans. The plans were current and adequately identified the key personnel, including the alternates responsible for the facilities’ evacuation in the event of an emergency. The plans also contained facility-specific emergency contact information and a general description of the facility characteristics.

Although occupant emergency plans contained detailed planning information, the IRS’ other business continuity planning efforts have not been sufficient to ensure that critical business processes and systems are efficiently restored in the event of a disaster. We found a majority of the incident management, business resumption, and disaster recovery plans lacked detailed planning information and recovery strategies. The GAO also found gaps in the incident management plans and business resumption plans.[5] It reported that IRS business continuity plans do not provide assurance that the IRS could respond to the full range of potential disruptions. Missing planning information could result in confusion, duplication of efforts, and a breakdown in communication if IRS staff relied on the plans. In an emergency incident, such as a terrorist attack or natural disaster, we believe that these deficiencies could result in delays in recovering critical business processes.

Incident management plans
The purpose of an incident management plan is to designate, in advance, the specific personnel and command structure to be activated in the event of an incident such as a hurricane, flood, or terrorist act.
A critical component of this process is the establishment of an Emergency Operations Center where the incident management team will meet to begin addressing the emergency. The focus of this team is assessment, evaluation, coordination, and strategy development as events occur.

[5] See report listed in Appendix IV. The GAO reviewed the incident management plan for the IRS Headquarters Office in Washington, D.C. This building houses more than 2,200 of the IRS’ estimated 104,000 employees. The GAO also reviewed the business resumption plans for the Wage and Investment Division, the Criminal Investigation Division, and the Office of Chief Counsel.

Our review of the incident management plans for 39 randomly selected facilities determined that the plans did not always include the information necessary to effectively respond to emergencies. Specifically:
    • The locations of the primary Emergency Operations Center and/or the backup facility were not identified in 28 (72 percent) of the plans we evaluated.
    • An alternate to the Incident Commander,[6] in the event he or she is unavailable, was not identified in 16 (41 percent) of the plans we evaluated. In addition, a backup for one or more other key incident management team personnel was not identified in 32 (82 percent) of the plans.
    • An Initial Incident Commander, who would manage the response to an emergency until the Incident Commander could take over, was not identified in 12 (34 percent) of the 35 facilities we sampled where the Incident Commander was not physically located in the building.
      For example, at one site we reviewed, the Incident Commander was located more than 200 miles from the facility.
    • A general description of the nature of the IRS business functions located at the site and complete and current contact information for the applicable functional Business Resumption Coordinators were not included in 33 (85 percent) of the plans we evaluated.
    • Key elements of the incident management plan for the IRS Headquarters office were not addressed or were addressed only in part. For example, the GAO noted that although the plan listed the critical business processes in priority order, it did not establish recovery time objectives for the critical processes.

Business resumption plans
A business resumption plan should include the advance planning and preparations necessary to minimize loss and ensure the continuity of critical business processes. The pre-determined set of instructions and procedures that describe how business processes will be restored should be documented in the plan. A complete business resumption plan should include details such as a list and description of critical business processes that are conducted by the business function at the site; procedures for recovering each of the critical processes and sub-processes; other locations that perform the same business processes as those performed at the site covered by the plan; vital records needed by employees to perform their duties; and the amount of space, furniture, and other needs (e.g., copiers, printers, and fax machines).

[6] In general, the area Senior Commissioner Representative is the Incident Commander for the IRS field offices.
The IRS has 15 Senior Commissioner Representatives located throughout the nation.

Most of the business resumption plans we evaluated were not adequately completed and would not facilitate the efficient recovery of critical IRS business processes. Our review of 65 business resumption plans determined that the plans did not:
    • Include procedures for recovering each of the critical processes and sub-processes described in the business resumption plan – 16 plans (25 percent).
    • Document other locations that perform the same critical business processes and sub-processes as those performed at the site covered by the plan – 43 plans (66 percent).
    • Identify the vital records needed by the employees to perform their duties – 13 plans (20 percent). Some business resumption team leaders informed us that they had no vital records. Others stated that their vital records were electronic and accessible through the IRS network. However, the business resumption plans did not document these key details and recovery strategies.
    • Document the amount of space, furniture, and equipment (e.g., copiers, printers, and fax machines) that would be required at the alternate facility – 25 plans (38 percent).

Disaster recovery plans
A disaster recovery plan should define the detailed tasks needed to recover the information technology systems, including the network, hardware, and software applications. The employees who restore the systems should be able to follow the detailed tasks in the plan exactly as they are written.
This is important because the employees with the institutional knowledge of how to restore the systems might not be available after a disaster.

The IRS has more than 240 systems, each of which is owned by a business unit or the Modernization and Information Technology Services organization. Responsibility for maintaining a disaster recovery plan lies with the system owner. However, we determined that the system owners have not included sufficient details in their disaster recovery plans and have not kept the plans updated.

In a March 2004 audit,[7] we determined that the Master File[8] Disaster Recovery Plan was not detailed enough to be used verbatim to react to a worst-case scenario. We also found that the Plan was not reviewed quarterly and updated as needed. The Chief Information Officer agreed with our findings and, in December 2004, reported that corrective actions had been taken to address these weaknesses. However, our followup review[9] in February 2008 found the same weaknesses.

[7] The Master File Disaster Recovery Exercise Was Completed, but Significant Vulnerabilities Should Be Addressed (Reference Number 2004-20-053, dated March 2004).
[8] The IRS database that stores various types of taxpayer account information. This database includes individual, business, and employee plans and exempt organizations data.
[9] See Report 1 in Appendix IV.

Our followup review determined that quarterly reviews of the Master File Disaster Recovery Plan were not performed.
In addition, while our observation of the Master File disaster recovery test determined that test participants were using the Master File Disaster Recovery Plan, our observation of one other mainframe disaster recovery test determined that recovery site personnel used a combination of the Disaster Recovery Exercise Plan (because a disaster recovery plan was not available) and individual reference materials they had brought to the exercise to recover the system(s).

In addition, our followup review determined that the disaster recovery plans of several significant tax processing systems were not updated in a timely manner. The five-volume disaster recovery plan for the Service Center Mainframe Consolidation was dated in 2006, with two of the volumes dated as early as March 2006; the disaster recovery plan for a major tax processing system was dated September 2004; and one disaster recovery document (previously shown to be named a Technical Contingency Planning Document) was dated December 6, 2001.

Business continuity plans were not routinely tested
Homeland Security Presidential Directive-20 requires Federal Government agencies to conduct annual tests of business continuity plans. To comply with this Directive and other directives from the Department of Homeland Security,[10] the Physical Security and Emergency Preparedness (PSEP) office provided testing guidance to the IRS business functions. Testing is critical to ensure the viability of the business continuity plans. In many ways, testing validates the recovery strategies, assumptions, and procedures against likely disasters or emergency events. The gaps and weaknesses in the various plans should be identified and corrected during comprehensive testing. Plans that are not tested might prevent the IRS from efficiently recovering its critical processes and systems.

Generally, five types of tests can be conducted to assess business continuity plans:[11]

Informal Testing:
    1. Checklist test – This test involves reviewing the plan for content, completeness, and adherence to criteria.
    2. Tabletop test – The participants in the testing exercise meet and verbally describe what activities, procedures, and tasks they would follow.

Comprehensive Testing:
    3. Parallel test – This type of test evaluates the recovery of processes at alternate sites without disrupting operations at the normal work site.
    4. Simulation test – This test is a combination of simulations and actual operations transfers and might require some units to cease operations for the test period.
    5. Full-interruption test – The organization activates all components of the business resumption plan.

[10] Homeland Security Presidential Directive-5, Management of Domestic Incidents; Homeland Security Presidential Directive-7, Critical Infrastructure Identification, Prioritization, and Protection; and Homeland Security Presidential Directive-8, National Preparedness.
[11] Akhtar Syed and Afsar Syed, Business Continuity Planning Methodology (Mississauga, Ontario, Canada: Sentryx, 2004), 203-213.

During our fieldwork, we noted some improvements in the testing of occupant emergency plans. The PSEP office initiated new procedures to improve training exercises. An emergency evacuation checklist was developed to document the results of evacuation tests conducted after August 1, 2008.
The checklist will be used to document issues such as whether employees
quickly exited the building, alarms worked properly, evacuation team members knew their roles,
and employees reported to their assigned assembly areas. The overall process for monitoring
evacuation tests is also being improved by better defining roles and responsibilities at each level
of involvement and by developing a methodology to track completion of the tests. These new
procedures are scheduled to take effect during the first quarter of Fiscal Year 2009.
During our reviews, we found that many of the business continuity plans were not tested. For
the plans that were tested, the scope of testing usually consisted of a tabletop exercise.
Specifically:
   •   Occupant evacuation testing was not performed in Calendar Year 2007 in 5 (33 percent)
       of 15 buildings we evaluated. Where emergency testing was performed, key test results,
       such as whether employees were evacuated in a timely manner, disabled employees were
       properly evacuated, employees properly reported to their assigned assembly areas, and
       alarms functioned properly, were generally not recorded. In an emergency, a properly
       tested occupant emergency plan can reduce threats to the safety of IRS employees.
   •   An incident management plan exercise was not performed during either Fiscal Year 2006
       or Fiscal Year 2007 at 3 (50 percent) of 6 IRS facilities with 250 or more employees that
       we evaluated.
       The three facilities where an exercise was not performed included two
       large field offices and a Computing Center.[12] We also found that where exercises were
       performed, detailed documentation regarding the test scope, deficiencies identified, and
       actions taken to address those deficiencies was not maintained in two of the three sites.
       As a result, the benefit of information accrued from these tests is not available to assist
       the IRS in its efforts to improve its incident readiness.

[12] IRS Computing Centers support tax processing and information management through a data processing and
telecommunications infrastructure.

   •   The IRS business units had not tested 35 (54 percent) of the 65 business resumption plans
       during Calendar Year 2007. For the 30 plans that were tested, the scopes of the tests
       consisted of tabletop exercises. Participants, such as a Senior Commissioner
       Representative, a site coordinator, and a business resumption team leader, met and
       discussed how they would handle various emergencies or disasters. This type of testing
       is insufficient to identify gaps, omissions, and weaknesses in the plans.
       In addition, the
       results and weaknesses identified during the tests were not documented.
   •   The lessons learned from testing disaster recovery plans were not always documented.
       When the lessons learned were documented, subsequent testing did not ensure that the
       weaknesses were retested to determine whether the plan weaknesses had been corrected.
Management Action: Subsequent to completion of our audit fieldwork, the IRS advised us that
lessons learned from disaster recovery tests are now being documented and weaknesses
identified in previous testing are now being retested in subsequent test exercises. The IRS also
informed us that it had updated its procedures for retesting vulnerabilities identified in previous
testing. We plan to follow up on these corrective actions in future reviews.
In our prior reports, we made recommendations to improve the development and testing of the
specific business continuity plans. When those plans are viewed together, however, it is clear
that cross-functional coordination, leadership, and effective monitoring and oversight are needed
to ensure the effectiveness of the IRS business continuity efforts.
First, the numbers of persons and organizations involved in these efforts increase the risk that
planning and testing will not be adequate. While the PSEP office is responsible for providing
guidance regarding occupant emergency, incident management, and business resumption plans,
the guidance must be used in preparing and testing the plans by all IRS business functions, and
the guidance must address employee safety and critical business processes that are carried out in
more than 660 facilities. The Modernization and Information Technology Services organization
is responsible for developing and testing disaster recovery plans.
Second, accountability for carrying out business continuity responsibilities is difficult to enforce
across organizational lines.
For example, the PSEP office provided a comprehensive template
for planning and completing a business resumption plan. However, our prior review of these
plans determined that 12 different templates were used by the 8 IRS business functions that we
evaluated. Some functions used different templates within their own organizations. Conflicting
priorities and budget concerns in the business functions contributed to noncompliance with the
PSEP guidance, as did a lack of emphasis on testing. The PSEP office did not enforce its
guidance across organizational lines. Also, the Emergency Management and Preparedness
Executive Steering Committee, which consists of executives from several business units and is
responsible for overseeing the business continuity plans, has not taken an active role in
coordinating business continuity efforts. As of July 2008, this Committee had met only once
since its inception in August 2005. The lack of regular meetings by the Emergency Management
and Preparedness Executive Steering Committee was reported in our audit of the IRS business
resumption plans.
Finally, the business continuity plans are interrelated. For example, business processes cannot be
resumed without computer systems that support those processes.
Consequently, business
resumption plans must be synchronized with disaster recovery plans.
Management Actions: Subsequent to completion of our audit fieldwork, the IRS advised us that
the PSEP office has augmented the program by assigning to the emergency management staff an
executive whose sole focus is to oversee and enforce the business continuity requirements.
However, we believe that the IRS Commissioner should appoint an executive with
cross-organizational authority to oversee the business continuity program. In addition, on
November 25, 2008, after completion of our fieldwork on this audit and 3 months after we
completed our fieldwork for the audit of business resumption plans, the IRS provided several
documents related to Emergency Management and Preparedness Executive Steering Committee
meetings. However, due to the IRS’ untimely submission of these documents, we were unable to
review them.

Recommendations
Recommendation 1: To ensure that compliance with business continuity guidance is
enforced across organizational lines and because of the interrelationships among business
continuity plans, the IRS Commissioner should appoint an executive with cross-organizational
authority to oversee the IRS business continuity program. The executive should serve as the
chairperson of the Emergency Management and Preparedness Executive Steering Committee.
       Management’s Response: The IRS agreed with this recommendation. The
       Emergency Management and Preparedness Executive Steering Committee is now chaired
       by the Chief, Agency-Wide Shared Services, who will direct and execute the
       cross-functional IRS-wide emergency management program.
       An executive has been
       appointed to lead the PSEP Continuity Operations staff and focus exclusively on the
       oversight and enforcement of the continuity planning program.
Recommendation 2: The IRS Commissioner should require the executive responsible for
business continuity planning to monitor and ensure that comprehensive testing is conducted and
documented for all four business continuity plans. The testing should ensure that weaknesses
and gaps identified during testing are corrected and retested during subsequent test exercises.
Because guidance for complete recovery can be found in multiple plans, consideration should be
given to testing plans concurrently as opposed to testing the plans separately.
       Management’s Response: The IRS agreed with this recommendation. A Test and
       Exercise Program is being developed that will require integrated exercises of all four
       business continuity plans. The Program will require that exercises be scheduled and
       conducted, with after-action reports and improvement plans completed and documented.
       A copy of the exercise schedules and after-action reports and improvement plans will be
       forwarded to the PSEP Continuity Operations Program Office for review of lessons
       learned, trend analysis, and best practices.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of
this review was to determine whether the IRS business continuity
program ensures that employees can be protected and critical business processes and computer
systems can be efficiently recovered during and after a disaster or emergency incident. The IRS
uses a combination of four integrated plans called the Business Continuity “Suite of Plans” to
prepare for, respond to, and recover from an incident or emergency. These plans include the
occupant management plan, incident management plan, business resumption plan, and disaster
recovery plan. We have previously conducted reviews of the business continuity plans in three
separate audits. The GAO has also performed a recent review of IRS emergency planning.[1] This
report presents our overall assessment of the IRS business continuity program based on results
presented in those reports.
To accomplish the audit objective, we reviewed and summarized the results of our three prior
audits that covered each of the four types of business continuity plans and the audit conducted by
the GAO on IRS emergency planning.

[1] See reports listed in Appendix IV.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Acting Assistant Inspector General for Audit (Security and Information
Technology Services)
Stephen Mullins, Director
William A. Gray, Audit Manager
Michelle Griffin, Senior Auditor

Appendix III

Report Distribution List

Office of the Commissioner – Attention: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Commissioner, Large and Mid-Size Business Division SE:LM
Commissioner, Small Business/Self-Employed Division SE:S
Commissioner, Tax Exempt and Government Entities Division SE:T
Commissioner, Wage and Investment Division SE:W
Chief, Appeals AP
Chief, Communications and Liaison CL
Chief, Equal Employment Opportunity and Diversity EEO
Director, Office of Research, Analysis, and Statistics RAS
Chief, Agency-Wide Shared Services OS:A
Chief, Criminal Investigation SE:CI
Chief Financial Officer OS:CFO
Chief Human Capital Officer OS:HC
Chief Information Officer OS:CIO
Chief Technology Officer OS:CTO
Director, Office of Professional Responsibility SE:OPR
Director, Whistleblower Office SE:WO
Director, Employee Support Services, Agency-Wide Shared Services OS:A:ESS
Director, Information Technology Security OS:MA:IT
Director, Physical Security and Emergency Preparedness, Agency-Wide Shared Services,
OS:A:PSEP
Director, Computer Security Incident Response Center and Information Technology Systems
Disaster Recovery OS:MA:IT:C
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
       Chief, Agency-Wide Shared Services OS:A
       Chief Information Officer OS:CIO

Appendix IV

Recent Audit Reports on the
Business Continuity Program

This appendix presents information on Treasury Inspector General for Tax Administration and
GAO reviews of the IRS business continuity program.
In Fiscal Year 2008, we conducted three separate audits of four areas of IRS business continuity
planning and issued the following reports:
1. Disaster Recovery Issues Have Not Been Effectively Resolved, but Progress Is Being Made
   (Reference Number 2008-20-061, dated February 29, 2008).
2. Emergency Preparedness at Internal Revenue Service Facilities Needs to Be Improved
   (Reference Number 2008-10-148, dated September 17, 2008).
3. Weaknesses in Business Resumption Plans Could Delay Recovery From a Disaster
   (Reference Number 2008-20-178, dated September 17, 2008).
In Fiscal Year 2007, the GAO conducted a review of IRS emergency planning and issued the
following report:
IRS Emergency Planning: Headquarters Plans Supported Response to 2006 Flooding, but
Additional Guidance Could Improve All Hazard Preparedness (GAO-07-579, dated
April 2007).

Recommendations from our reviews and management’s responses to the
recommendations
1) Disaster Recovery Issues Have Not Been Effectively Resolved, but Progress Is Being Made
(Reference Number 2008-20-061, dated February 29, 2008).
This report contained six
recommendations related to the IRS disaster recovery program.
Recommendation 1: The Chief Information Officer should ensure all disaster recovery plan
documentation is standardized, complete, accurate, readily accessible in the event of disaster
(e.g., from offsite storage and designated electronic file library locations), detailed enough to be
used verbatim to react to a worst-case scenario, and reviewed quarterly.
Management’s Response to Recommendation 1: IRS management plans to evaluate and revise
all existing disaster recovery plan documentation and templates used to perform and coordinate
disaster recovery-related activities; ensure all plan documentation is standardized, accurate,
comprehensive, appropriately detailed, up to date, and written in a clear, cohesive format; ensure
plan documentation includes all relevant Federal Government guidance and all other critical
information needed to perform disaster recovery-related activities; perform a comprehensive
inventory analysis audit to ensure the accessibility and availability of all plan documentation and
that the appropriate offsite storage and retrieval procedures are in place; and research a
web-based centralized repository tool for maintaining disaster recovery documentation in a
secure and readily accessible manner.
Recommendation 2: The Chief Information Officer should ensure effective completion of tasks
as required in disaster recovery guidance incorporated in the Internal Revenue Manual[1] from the
Office of Management and Budget, National Institute of Standards and Technology,[2] and the
Federal Information Security Management Act.[3]
Management’s Response to Recommendation 2: IRS
management plans to develop a
comprehensive disaster recovery Internal Revenue Manual and ensure all program-related
documentation adheres to and complies with all relevant Federal Government guidance. In
addition, management will ensure effective completion of tasks as required in Internal Revenue
Manual disaster recovery guidance through the embedded Compliance function within the
Cybersecurity organization’s Disaster Recovery organization. Management will also provide
status reports on each of the disaster recovery recommendations through bi-monthly meetings
with the Deputy Commissioner for Operations Support.
Recommendation 3: The Chief Information Officer should ensure offsite storage vendors can
timely deliver all disaster recovery backup files and documentation to the disaster recovery site
using announced, unannounced, and actually planned tests.
Management’s Response to Recommendation 3: IRS management plans to implement a
documented repeatable process during the 2007-2008 annual Federal Information Security
Management Act reporting period that includes an Information Technology Contingency
Plan/Disaster Recovery Test Guide and Checklist. Management also plans to direct test
participants to provide evidence of the recovery backup files’ delivery and actual time frame for
delivery.
Business/System owners will update the Checklist with the results of the exercises and
enter findings into the application/General Support Systems Plans of Action and Milestones.
The completed Checklist will validate completion of the Tabletop Exercise and Functional Test
and document findings.

[1] The Internal Revenue Manual contains the policies, procedures, instructions, guidelines, and delegations of
authority which direct the operation and administration of the IRS.
[2] The National Institute of Standards and Technology, under the Department of Commerce, is responsible for
developing standards and guidelines for providing adequate information security for all Federal Government agency
operations and assets.
[3] Part of the E-Government Act of 2002, Pub. L. No. 107-347, Title III, Section 301 (2002). The Federal
Information Security Management Act includes protecting information and information systems from unauthorized
access, use, disclosure, or modification, including controls for disclosure and confidentiality to protect personal
privacy.

It will then be loaded into Trusted Agent Federal Information Security
Management Act as the artifact verifying the results of the exercise/test.[4]
Recommendation 4: The Chief Information Officer should ensure appropriate disaster recovery
site personnel are identified and provided with annual training to ensure they have the ability to
implement the disaster recovery plan in the event production site personnel are not available
during a disaster.
Management’s Response to Recommendation 4: IRS management plans to develop a
comprehensive disaster recovery specific training curriculum; develop a specialized training
course to address specific training requirements in various disaster recovery disciplines such as
testing, plan development, business impact assessment, and compliance, and train all individuals
who have disaster recovery responsibilities; initiate a site-to-site cross-training skill set
evaluation and training program to ensure critical skill sets reside in a specific location,
responsible individuals receive training, and skill sets are replicated in other locations; and
develop a database as training is completed to provide an assessment report to management for
use in evaluating training progress, qualified personnel, and skill set risks.
Recommendation 5: The Chief Information Officer should ensure that disaster recovery exercise
lessons learned or action items deemed as critical are included in subsequent exercises.
Management’s Response to Recommendation 5: IRS management plans to develop a repeatable
process to ensure subsequent exercises include lessons learned or action items deemed as critical.
As all Information Technology Contingency Plans and disaster recovery plans are exercised and
tested, test participants will follow a formal Checklist to ensure documentation of
system/organizational changes or problems encountered during plan implementation, execution,
or testing.
If more critical problems are found, Summary Findings will note where corrective
actions and findings are documented for viewing and analysis by the Designated Approving
Authority. Management also plans to develop a process for entering these findings in the
application/General Support Systems Plans of Action and Milestones for monitoring and
training, and require the Designated Approving Authority to sign the Checklist validating that the
Tabletop Exercise and Functional Test have been completed and findings documented.
Recommendation 6: The Chief Information Officer should ensure a permanent file is established
for keeping documentation supporting closure of prior recommended corrective actions and
completion of material weakness corrective action plan components related to the Information
Technology Contingency Planning material weakness.

[4] The Trusted Agent Federal Information Security Management Act is an automated management tool that maintains
Federal Information Security Management Act reporting data for application systems and their associated corrective
actions. It captures and tracks security weaknesses and associated corrective milestones; and collects, processes and
stores self-assessment information, as required under the Federal Information Security Management Act.

Management’s Response to Recommendation 6: IRS management established the
Modernization and Information Technology Services organization’s Information Technology
Disaster Recovery organization.
The responsibilities of this program office include validating all
closure activities for corrective actions and collecting and maintaining all documentation that
supports closure and/or mitigation of all corrective actions, material weaknesses, and any
outstanding year-to-year weaknesses remediation recommendations. Management also
established a process using project management schedules, work breakdown structures, and
cross-functional correspondence that enables this office to provide management with a more
effective assessment of material weakness remediation progress for disaster recovery.
2) Emergency Preparedness at Internal Revenue Service Facilities Needs to Be Improved
(Reference Number 2008-10-148, dated September 17, 2008). This report contained three
recommendations related to the IRS incident management and occupant emergency plans.
Recommendation 1: The Chief, Agency-Wide Shared Services, should revise the IRS’ current
incident management plan template and associated instructions to 1) better emphasize the need to
ensure both primary and backup Emergency Operations Center locations are specified, backups
are specified for all key incident management staff, an initial Incident Commander is identified
where appropriate, a general description of the nature of IRS business functions located at the
site is listed, and complete and current contact information for the applicable functional Business
Resumption Coordinators is specified, and 2) require that all incident management plans be
periodically reviewed to ensure that they are complete and accurate.
Management’s Response to Recommendation 1: The IRS plans to revise the incident
management plan template and procedures to incorporate the elements outlined in this
recommendation.
Recommendation 2: The Chief, Agency-Wide Shared Services, should develop procedures
requiring that 1) all significant IRS sites, including Computing Centers,[5] perform
incident
management plan exercises on a routine basis, and 2) the results of these exercises, including any
plan weaknesses identified, be documented to facilitate an ongoing agency-wide analysis of
trends and best practices.
Management’s Response to Recommendation 2: The IRS plans to develop criteria for a
multi-year testing, training, and exercise strategy consistent with Federal Government continuity
directives that will address action item followups and/or lessons learned.
Recommendation 3: The Chief, Agency-Wide Shared Services, should consider developing a
template to record the key results of occupant emergency plans evaluation testing, such as, the
time to complete the evaluation, whether employees properly reported to assigned assembly
areas, and whether alarms functioned properly.

[5] IRS Computing Centers support tax processing and information management through a data processing and
telecommunications infrastructure.

Management’s Response to Recommendation 3: The IRS has developed a comprehensive
checklist to capture and record site evaluations. In addition, a structured process for monitoring
evacuations and fire drills will be defined and implemented.
3) Weaknesses in Business Resumption Plans Could Delay Recovery From a Disaster
(Reference Number 2008-20-178, dated September 17, 2008).
The report contained four
recommendations related to the IRS business resumption plans.
Recommendation 1: The Chief, Agency-Wide Shared Services, should instruct business units
with a significant number of sites to establish a business resumption coordinator position to
1) perform a quality review of each business resumption plan prepared by the business
resumption team leader at a site within the function, and 2) create and maintain a repository in
each business unit to account for and control business resumption plans.
Management’s Response to Recommendation 1: IRS management will coordinate the
establishment of full-time business coordinator positions, as appropriate, to enhance the business
unit continuity program.
Recommendation 2: The Chief, Agency-Wide Shared Services, should require all business
functions to use the PSEP office business resumption plan templates and require all functions’
business resumption coordinators to periodically brief the Emergency Management and
Preparedness Executive Steering Committee on the completeness and adequacy of the business
resumption plans.
Management’s Response to Recommendation 2: IRS management will direct the use of
standardized continuity templates developed by the PSEP office. In addition, the Emergency
Management and Preparedness Executive Steering Committee will receive periodic briefings
from select business coordinators.
Recommendation 3: The Chief, Agency-Wide Shared Services, should develop specific testing
requirements and procedures for business resumption plans based on risk. Critical processes
such as those we reviewed should be tested using comprehensive testing techniques such as
parallel, simulation, or full-interruption tests.
Management’s Response to Recommendation 3: IRS management will develop criteria for a
multi-year testing, training, and exercise strategy.
This strategy will be consistent with Federal
Government continuity directives.
Recommendation 4: The Chief, Agency-Wide Shared Services, should instruct the Emergency
Management and Preparedness Executive Steering Committee to 1) require business units to plan
and conduct testing, document test results, and update business resumption plans annually, and
2) monitor testing activities conducted by the business units to ensure that the scopes of tests are
sufficient to identify gaps and weaknesses in the plans.
Management’s Response to Recommendation 4: IRS management will develop a multi-year
testing, training, and exercise strategy that is consistent with Federal Government continuity
directives.

Recommendations from a GAO review and management’s responses to the
recommendations
IRS Emergency Planning: Headquarters Plans Supported Response to 2006 Flooding, but
Additional Guidance Could Improve All Hazard Preparedness (GAO-07-579, dated
April 2007).
To strengthen the ability of the IRS to respond to the full range of potential disruptions to
essential operations, the GAO made the following two recommendations to the IRS
Commissioner:
Recommendation 1: Revise IRS internal emergency planning guidance to fully reflect Federal
guidance on the elements of a viable continuity capability, including the identification and
prioritization of essential functions; the preparation of necessary resources and alternate
facilities; and the regular completion of tests, training, and exercises of continuity capabilities.
Management’s Response to Recommendation 1: The IRS will:
   •   Conduct a thorough gap analysis between Federal Preparedness Circular 65
       elements and
       business continuity planning guidance.[6]
   •   Update the Internal Revenue Manual guidance and business resumption plan templates to
       reflect areas of improvement resulting from the gap analysis.
   •   Formally direct annual tests, training, and exercises of business resumption plans through
       the agency’s Emergency Management and Preparedness Steering Committee.
Recommendation 2: Revise IRS emergency plans in accordance with the new internal guidance.
Management’s Response to Recommendation 2: The IRS will revise and implement its
emergency plans based on the results of the aforementioned activities (in Recommendation 1).

[6] Federal Preparedness Circular 65 provides guidance to Federal executive branch departments and agencies for use
in developing viable and executable contingency plans for the continuity of operations.

Appendix V

Management’s Response to the Draft Report
'